[Secure-testing-team] debsecan announcement
Moritz Muehlenhoff
jmm at inutil.org
Thu Jan 19 11:59:28 UTC 2006
Florian Weimer wrote:
> I intend to send a real debsecan announcement to debian-devel and
> debian-security. A draft is included below. Comments are
> appreciated.

Before bringing this to a wider audience, more false positives and
non-issues should be weeded out (or at least it should be documented
very clearly that most are theoretical issues that do not affect your
system's security in a real-world situation, e.g. by setting the
display default to >= medium).

E.g. the first four entries in the list of "vulnerabilities w/o
updates" for my notebook are all more or less moot:

CVE-2004-0175 Directory traversal vulnerability in scp for OpenSSH...
<http://idssi.enyo.de/tracker/CVE-2004-0175>
- ssh, openssh-server, openssh-client (remotely exploitable)
CVE-2004-1617 Lynx allows remote attackers to cause a denial of...
<http://idssi.enyo.de/tracker/CVE-2004-1617>
- lynx (remotely exploitable, low urgency)
CVE-2004-2531 X.509 Certificate Signature Verification in Gnu...
<http://idssi.enyo.de/tracker/CVE-2004-2531>
- libgnutls11 (remotely exploitable, low urgency)
CVE-2005-0406 A design flaw in image processing software that...
<http://idssi.enyo.de/tracker/CVE-2005-0406>
- libmagick9, imagemagick (low urgency)
Cheers,
Moritz